MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

jq sort keys 

Allows automation to edit the files
pull/283/head
Christophe Vandeplas 2018-10-12 10:34:13 +02:00
parent 4ff2a45cbb
commit 2fbd8ce485
49 changed files with 6527 additions and 6526 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
clusters/android.json
View File

@ -4463,8 +4463,6 @@
"https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/"
]
},
"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§",
"value": "HenBox",
"related": [
{
"dest-uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896",
@ -4473,7 +4471,9 @@
],
"type": "similar"
}
]
],
"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§",
"value": "HenBox"
},
{
"description": "Cybercriminals are currently developing a new strain of malware targeting Android devices which blends the features of a banking trojan, keylogger, and mobile ransomware.",
@ -4496,24 +4496,24 @@
"value": "Skygofree"
},
{
"value": "BusyGasper",
"description": "A new family of spyware for Android grabbed the attention of security researchers through its unusual set of features and their original implementation. Tagged BusyGasper by security experts at Kaspersky, the malware stands out through its ability to monitor the various sensors present on the targeted phone. Based on the motion detection logs, it can recognize the opportune time for running and stopping its activity.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/unsophisticated-android-spyware-monitors-device-sensors/"
]
},
"uuid": "1c8e8070-bfe2-11e8-8c3e-7f31c66687a2"
"uuid": "1c8e8070-bfe2-11e8-8c3e-7f31c66687a2",
"value": "BusyGasper"
},
{
"value": "Triout",
"description": "Bitdefender says Triout samples they discovered were masquerading in a clone of a legitimate application, but they were unable to discover where this malicious app was being distributed from. The obvious guess would be via third-party Android app stores, or app-sharing forums, popular in some areas of the globe.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/new-android-triout-malware-can-record-phone-calls-steal-pictures/"
]
},
"uuid": "08965226-c8a9-11e8-ad82-b3fe44882268"
"uuid": "08965226-c8a9-11e8-ad82-b3fe44882268",
"value": "Triout"
}
],
"version": 14

12
clusters/backdoor.json
View File

@ -5,7 +5,6 @@
"description": "A list of backdoor malware.",
"name": "Backdoor",
"source": "Open Sources",
"version": 2,
"type": "backdoor",
"uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
"values": [
@ -17,11 +16,10 @@
"https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html"
]
},
"value": "WellMess",
"uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd"
"uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd",
"value": "WellMess"
},
{
"value": "Rosenbridge",
"description": "The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.\n\nWhile the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.\n\nThe rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU's memory, but its register file and execution pipeline as well.",
"meta": {
"date": "August 2018",
@ -31,7 +29,9 @@
"https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Christopher%20Domas/DEFCON-26-Christopher-Domas-GOD-MODE-%20UNLOCKED-hardware-backdoors-in-x86-CPUs.pdf"
]
},
"uuid": "2bb165dc-9f93-11e8-ae64-d3dbab0dd786"
"uuid": "2bb165dc-9f93-11e8-ae64-d3dbab0dd786",
"value": "Rosenbridge"
}
]
],
"version": 2
}

4
clusters/banker.json
View File

@ -830,14 +830,14 @@
"value": "Kronos"
},
{
"value": "CamuBot",
"description": "A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components.\nCamuBot appeared last month in Brazil targeting companies and organizations from the public sector. The victim is the one installing the malware, at the instructions of a human operator that pretends to be a bank employee.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/ "
]
},
"uuid": "2fafe8b2-b0db-11e8-a81e-4b62ee50bd87"
"uuid": "2fafe8b2-b0db-11e8-a81e-4b62ee50bd87",
"value": "CamuBot"
}
],
"version": 13

16
clusters/botnet.json
View File

@ -842,7 +842,6 @@
"value": "Bamital"
},
{
"value": "Gafgyt",
"description": "Linux.Gafgyt is a Trojan horse that opens a back door on the compromised computer and steals information. The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWalls Global Management System (GMS).",
"meta": {
"refs": [
@ -853,10 +852,10 @@
"Bashlite"
]
},
"uuid": "40795af6-b721-11e8-9fcb-570c0b384135"
"uuid": "40795af6-b721-11e8-9fcb-570c0b384135",
"value": "Gafgyt"
},
{
"value": "Sora",
"description": "Big changes on the IoT malware scene. Security researchers have spotted a version of the Mirai IoT malware that can run on a vast range of architectures, and even on Android devices. This Mirai malware strain is called Sora, a strain that was first spotted at the start of the year.Initial versions were nothing out of the ordinary, and Sora's original author soon moved on to developing the Mirai Owari version, shortly after Sora's creation.",
"meta": {
"refs": [
@ -889,27 +888,28 @@
"type": "variant-of"
}
],
"uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56"
"uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56",
"value": "Sora"
},
{
"value": "Torii",
"description": " we have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses. The developers of the botnet seek wide coverage and for this purpose they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence.",
"meta": {
"refs": [
"https://blog.avast.com/new-torii-botnet-threat-research",
"https://www.bleepingcomputer.com/news/security/new-iot-botnet-torii-uses-six-methods-for-persistence-has-no-clear-purpose/"
]
}
},
"value": "Torii"
},
{
"value": "Persirai",
"description": "A new Internet of Things (IoT) botnet called Persirai (Detected by Trend Micro as ELF_PERSIRAI.A) has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Denial-of-Service (DDoS) attacks that compromised IoT devices such as Digital Video Recorders (DVRs) and CCTV cameras—as well as the Hajime botnet.",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/"
]
},
"uuid": "e3e91fe2-c7ce-11e8-8e85-6bc15cd2a63c"
"uuid": "e3e91fe2-c7ce-11e8-8e85-6bc15cd2a63c",
"value": "Persirai"
}
],
"version": 15

2
clusters/branded_vulnerability.json
View File

@ -149,13 +149,13 @@
"value": "ImageTragick"
},
{
"description": "Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.",
"meta": {
"logo": [
"http://blacknurse.dk/____impro/1/onewebmedia/blacknurse2.png?etag=W%2F%2214e7-5761287d%22&sourceContentType=image%2Fpng&ignoreAspectRatio&resize=200%2B200&extract=0%2B40%2B200%2B114"
]
},
"uuid": "3c2325e4-b740-11e8-9504-b32b4d974add",
"description": "Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.",
"value": "Blacknurse"
}
],

12032
clusters/malpedia.json
View File

File diff suppressed because it is too large Load Diff

14
clusters/microsoft-activity-group.json
View File

@ -205,27 +205,27 @@
"value": "ZIRCONIUM"
},
{
"value": "https://www.cfr.org/interactive/cyber-operations/mythic-leopard",
"description": "This threat actor uses social engineering and spear phishing to target military and defense organizations in India, for the purpose of espionage.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/mythic-leopard"
],
"cfr-suspected-state-sponsor": "Pakistan",
"cfr-suspected-victims": [
"India"
],
"cfr-suspected-state-sponsor": "Pakistan",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/mythic-leopard"
],
"synonyms": [
"C-Major",
"Transparent Tribe"
]
},
"uuid": "2a410eea-a9da-11e8-b404-37b7060746c8"
"uuid": "2a410eea-a9da-11e8-b404-37b7060746c8",
"value": "https://www.cfr.org/interactive/cyber-operations/mythic-leopard"
}
],
"version": 5

174
clusters/ransomware.json
View File

@ -3236,16 +3236,16 @@
"https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/"
]
},
"uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
"related": [
{
"dest-uuid": "15a30d84-4f5f-4b75-a162-e36107d30215",
"type": "similar",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
]
],
"type": "similar"
}
],
"uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
"value": "Dharma Ransomware"
},
{
@ -9064,16 +9064,16 @@
"CrySiS"
]
},
"uuid": "15a30d84-4f5f-4b75-a162-e36107d30215",
"related": [
{
"dest-uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
"type": "similar",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
]
],
"type": "similar"
}
],
"uuid": "15a30d84-4f5f-4b75-a162-e36107d30215",
"value": "Virus-Encoder"
},
{
@ -9799,17 +9799,17 @@
{
"description": "LockCrypt is an example of yet another simple ransomware created and used by unsophisticated attackers. Its authors ignored well-known guidelines about the proper use of cryptography. The internal structure of the application is also unprofessional. Sloppy, unprofessional code is pretty commonplace when ransomware is created for manual distribution. Authors dont take much time preparing the attack or the payload. Instead, theyre rather focused on a fast and easy gain, rather than on creating something for the long run. Because of this, they could easily be defeated.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-cracked-due-to-bad-crypto/",
"https://twitter.com/malwrhunterteam/status/1034436350748053504",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
],
"extensions": [
".BadNews"
],
"ransomnotes": [
"How To Decode Files.hta",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlsLwUjXsAA0xyY[1].jpg"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-cracked-due-to-bad-crypto/",
"https://twitter.com/malwrhunterteam/status/1034436350748053504",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
]
},
"uuid": "ac070e9a-3cbe-11e8-9f9d-839e888f2340",
@ -10387,55 +10387,50 @@
"value": "Unnamed Android Ransomware"
},
{
"value": "KEYPASS",
"description": "A new distribution campaign is underway for a STOP Ransomware variant called KeyPass based on the amount of victims that have been seen. Unfortunately, how the ransomware is being distributed is unknown at this time.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/"
],
"synonyms": [
"KeyPass"
"extensions": [
".KEYPASS"
],
"ransomnotes": [
"!!!KEYPASS_DECRYPTION_INFO!!!.txt",
"Attention!\n\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS\n\nThe only method of recovering files is to purchase an decrypt software and unique private key.\n\nAfter purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.\n\nOnly we can give you this key and only we can recover your files.\n\nYou need to contact us by e-mail keypass@bitmessage.ch send us your personal ID and wait for further instructions.\n\nFor you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.\n\nPrice for decryption $300.\n\nThis price avaliable if you contact us first 72 hours.\n\nE-mail address to contact us:\n\nkeypass@bitmessage.ch\n\n\n\nReserve e-mail address to contact us:\n\nkeypass@india.com\n\n\n\nYour personal id:\n[id]"
],
"extensions": [
".KEYPASS"
"refs": [
"https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/"
],
"synonyms": [
"KeyPass"
]
},
"uuid": "22b4070e-9efe-11e8-b617-ab269f54596c"
"uuid": "22b4070e-9efe-11e8-b617-ab269f54596c",
"value": "KEYPASS"
},
{
"value": "STOP Ransomware",
"uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5"
"uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5",
"value": "STOP Ransomware"
},
{
"value": "Barack Obama's Everlasting Blue Blackmail Virus Ransomware",
"description": "A new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a \"tip\" to decrypt the files.",
"meta": {
"ransomnotes": [
"https://www.bleepstatic.com/images/news/ransomware/b/barack-obama-ransomware/barack-obama-everlasting-blue-blackmail-virus.jpg",
"Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.\nSo you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information."
],
"refs": [
"https://twitter.com/malwrhunterteam/status/1032242391665790981",
"https://www.bleepingcomputer.com/news/security/barack-obamas-blackmail-virus-ransomware-only-encrypts-exe-files/"
],
"synonyms": [
"Barack Obama's Blackmail Virus Ransomware"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/ransomware/b/barack-obama-ransomware/barack-obama-everlasting-blue-blackmail-virus.jpg",
"Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.\nSo you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information."
]
},
"uuid": "1a98f5ca-b024-11e8-b828-1fb7dbd6619e"
"uuid": "1a98f5ca-b024-11e8-b828-1fb7dbd6619e",
"value": "Barack Obama's Everlasting Blue Blackmail Virus Ransomware"
},
{
"value": "CryptoNar",
"description": "When the CryptoNar, or Crypto Nar, Ransomware encrypts a victims files it will perform the encryption differently depending on the type of file being encrypted.\nIf the targeted file has a .txt or .md extension, it will encrypt the entire file and append the .fully.cryptoNar extension to the encrypted file's name. All other files will only have the first 1,024 bytes encrypted and will have the .partially.cryptoNar extensions appended to the file's name.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/",
"https://twitter.com/malwrhunterteam/status/1034492151541977088"
],
"extensions": [
".fully.cryptoNar",
".partially.cryptoNar"
@ -10443,9 +10438,12 @@
"ransomnotes": [
"CRYPTONAR RECOVERY INFORMATION.txt",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/ransom-note.jpg"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/",
"https://twitter.com/malwrhunterteam/status/1034492151541977088"
]
},
"uuid": "10f92054-b028-11e8-a51f-2f82236ac72d",
"related": [
{
"dest-uuid": "2fb307a2-8752-4521-8973-75b68703030d",
@ -10454,24 +10452,25 @@
],
"type": "similar"
}
]
],
"uuid": "10f92054-b028-11e8-a51f-2f82236ac72d",
"value": "CryptoNar"
},
{
"value": "CreamPie Ransomware",
"description": "Jakub Kroustek found what appears to be an in-dev version of the CreamPie Ransomware. It does not currently display a ransom note, but does encrypt files and appends the .[backdata@cock.li].CreamPie extension to them.",
"meta": {
"extensions": [
".[backdata@cock.li].CreamPie"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/",
"https://twitter.com/JakubKroustek/status/1033656080839139333"
],
"extensions": [
".[backdata@cock.li].CreamPie"
]
},
"uuid": "1b5a756e-b034-11e8-9e7d-c3271796acab"
"uuid": "1b5a756e-b034-11e8-9e7d-c3271796acab",
"value": "CreamPie Ransomware"
},
{
"value": "Jeff the Ransomware",
"description": "Looks to be in-development as it does not encrypt.",
"meta": {
"refs": [
@ -10479,16 +10478,12 @@
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
]
},
"uuid": "7854c8bc-b036-11e8-bfb0-4ff71e54bbb2"
"uuid": "7854c8bc-b036-11e8-bfb0-4ff71e54bbb2",
"value": "Jeff the Ransomware"
},
{
"value": "Cassetto Ransomware",
"description": "Michael Gillespie saw an encrypted file uploaded to ID Ransomware that appends the .cassetto extension and drops a ransom note named IMPORTANT ABOUT DECRYPT.txt.",
"meta": {
"refs": [
"https://twitter.com/demonslay335/status/1034213399922524160",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
],
"extensions": [
".cassetto"
],
@ -10496,100 +10491,104 @@
"IMPORTANT ABOUT DECRYPT.txt",
"L!W2Be%BS4\nWARNING!! YOU ARE SO F*UCKED!!!\n\nYour Files Has Encrypted\n\nWhat happened to your files?\nAll of your files were protected by a strong encryptation\nThere is no way to decrypt your files without the key.\nIf your files not important for you just reinstall your system.\nx§If your files is important just email us to discuss the the price and how to decrypt your files.\n\nYou can email us to omg-help-me@openmailbox.org\n\nWe accept just BITCOIN if you don´t know what it is just google it.\nWe will give instructions where and how you buy bitcoin in your country.\nPrice depends on how important your files and network is.\nIt could be 0.5 bitcoin to 25 bitcoin.\nYou can send us a encrypted file for decryption.\nFell free to email us with your country, computer name and username of the infected system.",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlpDe-kXsAA2lmH[1].jpg"
],
"refs": [
"https://twitter.com/demonslay335/status/1034213399922524160",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
]
},
"uuid": "7d3287f0-b03d-11e8-b1ef-23485f43e7f9"
"uuid": "7d3287f0-b03d-11e8-b1ef-23485f43e7f9",
"value": "Cassetto Ransomware"
},
{
"value": "Acroware Cryptolocker Ransomware",
"description": "Leo discovered a screenlocker that calls itself Acroware Cryptolocker Ransomware. It does not encrypt.",
"meta": {
"ransomnotes": [
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dlq8W3FXoAAYR1v[1].jpg"
],
"refs": [
"https://twitter.com/leotpsc/status/1034346447112679430",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
],
"synonyms": [
"Acroware Screenlocker"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dlq8W3FXoAAYR1v[1].jpg"
]
},
"uuid": "f1b76b66-b044-11e8-8ae7-cbe7e28dd584"
"uuid": "f1b76b66-b044-11e8-8ae7-cbe7e28dd584",
"value": "Acroware Cryptolocker Ransomware"
},
{
"value": "Termite Ransomware",
"description": "Ben Hunter discovered a new ransomware called Termite Ransomware. When encrypting a computer it will append the .aaaaaa extension to encrypted files.",
"meta": {
"refs": [
"https://twitter.com/B_H101/status/1034379267956715520",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
],
"extensions": [
".aaaaaa"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlraMbTWwAA_367[1].jpg"
],
"refs": [
"https://twitter.com/B_H101/status/1034379267956715520",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
]
},
"uuid": "a8a772b4-b04d-11e8-ad94-ab9124dff412"
"uuid": "a8a772b4-b04d-11e8-ad94-ab9124dff412",
"value": "Termite Ransomware"
},
{
"value": "PICO Ransomware",
"description": "S!Ri found a new Thanatos Ransomware variant called PICO Ransomware. This ransomware will append the .PICO extension to encrypted files and drop a ransom note named README.txt.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/",
"https://twitter.com/siri_urz/status/1035138577934557184"
],
"synonyms": [
"Pico Ransomware"
],
"extensions": [
".PICO"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dl2M9kdX0AAcGbJ[1].jpg",
"README.txt"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/",
"https://twitter.com/siri_urz/status/1035138577934557184"
],
"synonyms": [
"Pico Ransomware"
]
},
"uuid": "5d0c28f6-b050-11e8-95a8-7b8e480b9bd2"
"uuid": "5d0c28f6-b050-11e8-95a8-7b8e480b9bd2",
"value": "PICO Ransomware"
},
{
"value": "Sigma Ransomware",
"description": "Today one of our volunteers, Aura, told me about a new new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. These spam emails contain password protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on a recipients computer.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/ransom-note-html-part_01.jpg",
"https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/ransom-note-html-part_02.jpg",
"https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/payment-portal.jpg",
"ReadMe.txt"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/"
]
},
"uuid": "df025902-b29e-11e8-a2ab-739167419c52"
"uuid": "df025902-b29e-11e8-a2ab-739167419c52",
"value": "Sigma Ransomware"
},
{
"value": "Crypt0saur",
"uuid": "32406292-b738-11e8-ab97-1f674b130624"
"uuid": "32406292-b738-11e8-ab97-1f674b130624",
"value": "Crypt0saur"
},
{
"value": "Mongo Lock",
"description": "An attack called Mongo Lock is targeting remotely accessible and unprotected MongoDB databases, wiping them, and then demanding a ransom in order to get the contents back. While this new campaign is using a name to identify itself, these types of attacks are not new and MongoDB databases have been targeted for a while now. These hijacks work by attackers scanning the Internet or using services such as Shodan.io to search for unprotected MongoDB servers. Once connected, the attackers may export the databases, delete them, and then create a ransom note explaining how to get the databases back.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/mongo-lock-attack-ransoming-deleted-mongodb-databases/"
],
"ransomnotes": [
"Your database was encrypted by 'Mongo Lock'. if you want to decrypt your database, need to be pay us 0.1 BTC (Bitcoins), also don't delete 'Unique_KEY' and save it to safe place, without that we cannot help you. Send email to us: mongodb@8chan.co for decryption service."
],
"refs": [
"https://www.bleepingcomputer.com/news/security/mongo-lock-attack-ransoming-deleted-mongodb-databases/"
]
},
"uuid": "2aa481fe-c254-11e8-ad1c-efee78419960"
"uuid": "2aa481fe-c254-11e8-ad1c-efee78419960",
"value": "Mongo Lock"
},
{
"value": "Kraken Cryptor Ransomware",
"description": "The Kraken Cryptor Ransomware is a newer ransomware that was released in August 2018. A new version, called Kraken Cryptor 1.5, was recently released that is masquerading as the legitimate SuperAntiSpyware anti-malware program in order to trick users into installing it. ",
"meta": {
"refs": [
@ -10597,23 +10596,24 @@
"https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/"
]
},
"uuid": "c49f88f6-c87d-11e8-b005-d76e8162ced5"
"uuid": "c49f88f6-c87d-11e8-b005-d76e8162ced5",
"value": "Kraken Cryptor Ransomware"
},
{
"value": "SAVEfiles",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-pushing-the-savefiles-ransomware/"
],
"extensions": [
".SAVEfiles."
],
"ransomnotes": [
"!!!SAVE__FILES__INFO!!!.txt",
"https://www.bleepstatic.com/images/news/security/f/fallout-exploit-kit/savefiles/ransom-note-red.jpg"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-pushing-the-savefiles-ransomware/"
]
},
"uuid": "76bfb132-cc70-11e8-8623-bb3f209be6c9"
"uuid": "76bfb132-cc70-11e8-8623-bb3f209be6c9",
"value": "SAVEfiles"
}
],
"version": 37

16
clusters/rat.json
View File

@ -22,18 +22,18 @@
{
"description": "JadeRAT is just one example of numerous mobile surveillanceware families we've seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains. Threat actor, using a tool called JadeRAT, targets the mobile phones of ethnic minorities in China, notably Uighurs, for the purpose of espionage. ",
"meta": {
"refs": [
"https://blog.lookout.com/mobile-threat-jaderat",
"https://www.cfr.org/interactive/cyber-operations/jaderat"
],
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"Ethnic minorities in China"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Civil society"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://blog.lookout.com/mobile-threat-jaderat",
"https://www.cfr.org/interactive/cyber-operations/jaderat"
]
},
"uuid": "1cc8963b-5ad4-4e19-8e9a-57b0ff1ef926",
@ -2926,7 +2926,6 @@
"value": "Hallaj PRO RAT"
},
{
"value": "NukeSped",
"description": "This threat can install other malware on your PC, including Trojan:Win32/NukeSped.B!dha and Trojan:Win32/NukeSped.C!dha. It can show you a warning message that says your files will be made publically available if you don't follow the malicious hacker's commands. \n",
"meta": {
"refs": [
@ -2938,7 +2937,8 @@
"https://www.alienvault.com/forums/discussion/17301/alienvault-labs-threat-intelligence-update-for-usm-anywhere-march-25-march-31-2018"
]
},
"uuid": "5d0369ee-c718-11e8-b328-035ed1bdca07"
"uuid": "5d0369ee-c718-11e8-b328-035ed1bdca07",
"value": "NukeSped"
}
],
"version": 18

368
clusters/threat-actor.json
View File

@ -1111,8 +1111,6 @@
"Royal APT"
]
},
"uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
"value": "Mirage",
"related": [
{
"dest-uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
@ -1121,7 +1119,9 @@
],
"type": "similar"
}
]
],
"uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
"value": "Mirage"
},
{
"description": "PLA Navy",
@ -5073,6 +5073,17 @@
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor targets organizations involved in oil, gas, and electricity production, primarily in the Gulf region, for espionage purposes. According to one cybersecurity company, the threat actor “compromises a target machine and passes it off to another threat actor for further exploitation.”",
"meta": {
"capabilities": "Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR",
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"Iraq",
"United Kingdom",
"Pakistan",
"Israel"
],
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"mode-of-operation": "IT compromise, information gathering and recon against industrial orgs",
"refs": [
"https://dragos.com/adversaries.html",
@ -5084,18 +5095,7 @@
"OilRig",
"Greenbug"
],
"victimology": "Oil and Gas, Manufacturing, Europe, MENA, North America",
"cfr-suspected-victims": [
"Iraq",
"United Kingdom",
"Pakistan",
"Israel"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
]
"victimology": "Oil and Gas, Manufacturing, Europe, MENA, North America"
},
"related": [
{
@ -5190,6 +5190,14 @@
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor compromises the networks of companies involved in electric power, specifically looking for intellectual property and information about the companies operations.",
"meta": {
"capabilities": "Encoded binaries in documents, evasion techniques",
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"United States"
],
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"mode-of-operation": "IT compromise with hardened anti-analysis malware against industrial orgs",
"refs": [
"https://dragos.com/adversaries.html",
@ -5201,15 +5209,7 @@
"Lazarus",
"Hidden Cobra"
],
"victimology": "Electric Utilities, US",
"cfr-suspected-victims": [
"United States"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
]
"victimology": "Electric Utilities, US"
},
"related": [
{
@ -5234,6 +5234,14 @@
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor targets industrial control systems in Turkey, Europe, and North America.\n Believed to be linked to Crouching Yeti",
"meta": {
"capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz",
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"Turkey"
],
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
"refs": [
"https://dragos.com/adversaries.html",
@ -5245,15 +5253,7 @@
"Dragonfly2",
"Berserker Bear"
],
"victimology": "Turkey, Europe, US",
"cfr-suspected-victims": [
"Turkey"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
]
"victimology": "Turkey, Europe, US"
},
"uuid": "a08ab076-33c1-4350-b021-650c34277f2d",
"value": "DYMALLOY"
@ -5332,6 +5332,26 @@
{
"description": "Experts assigned the codename of LuckyMouse to the group behind this hack, but they later realized the attackers were an older Chinese threat actor known under various names in the reports of other cyber-security firms, such as Emissary Panda, APT27, Threat Group 3390, Bronze Union, ZipToken, and Iron Tiger",
"meta": {
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"United States",
"Japan",
"Taiwan",
"India",
"Canada",
"China",
"Thailand",
"Israel",
"Australia",
"Republic of Korea",
"Russia",
"Iran"
],
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/",
"https://www.secureworks.com/research/bronze-union",
@ -5347,26 +5367,6 @@
"Bronze Union",
"ZipToken",
"Iron Tiger"
],
"cfr-suspected-victims": [
"United States",
"Japan",
"Taiwan",
"India",
"Canada",
"China",
"Thailand",
"Israel",
"Australia",
"Republic of Korea",
"Russia",
"Iran"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
]
},
"related": [
@ -5398,24 +5398,24 @@
{
"description": "The Rancor groups attacks use two primary malware families which are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.",
"meta": {
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"Singapore",
"Cambodia"
],
"cfr-target-category": [
"Government",
"Civil society"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
"https://www.cfr.org/interactive/cyber-operations/rancor"
],
"synonyms": [
"Rancor group"
],
"cfr-suspected-victims": [
"Singapore",
"Cambodia"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Civil society"
],
"country": "CN"
]
},
"uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b",
"value": "RANCOR"
@ -5473,8 +5473,6 @@
"value": "RedAlpha"
},
{
"value": "APT-C-35",
"uuid": "b9dc4e81-909f-4324-8b25-a0f359cd88e0",
"description": "In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organizations new attack activity, confirmed and exposed the gangs targeted attacks against Pakistan, and analyzed in detail. The unique EHDevel malicious code framework used by the organization",
"meta": {
"refs": [
@ -5483,36 +5481,34 @@
"synonyms": [
"DoNot Team"
]
}
},
"uuid": "b9dc4e81-909f-4324-8b25-a0f359cd88e0",
"value": "APT-C-35"
},
{
"value": "TempTick",
"description": "This threat actor targets organizations in the finance, defense, aerospace, technology, health-care, and automotive sectors and media organizations in East Asia for the purpose of espionage. Believed to be responsible for the targeting of South Korean actors prior to the meeting of Donald J. Trump and Kim Jong-un",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/temptick"
],
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"South Korea",
"Japan"
],
"cfr-suspected-state-sponsor": "China",
"cfr-target-category": [
"Government",
"Private sector"
],
"country": "CN"
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/temptick"
]
},
"uuid": "3f3ff6de-a6a7-11e8-92b4-3743eb1c7762"
"uuid": "3f3ff6de-a6a7-11e8-92b4-3743eb1c7762",
"value": "TempTick"
},
{
"value": "Operation Parliament",
"description": "This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/operation-parliament",
"https://securelist.com/operation-parliament-who-is-doing-what/85237/"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"Palestine",
"United Arab Emirates",
@ -5542,22 +5538,23 @@
"Oman",
"Denmark"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Civil society"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/operation-parliament",
"https://securelist.com/operation-parliament-who-is-doing-what/85237/"
]
},
"uuid": "e20e8eb8-a6b4-11e8-8a92-6ba6e7540c6d"
"uuid": "e20e8eb8-a6b4-11e8-8a92-6ba6e7540c6d",
"value": "Operation Parliament"
},
{
"value": "Inception Framework",
"description": "This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/inception-framework"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"South Africa",
"Malaysia",
@ -5565,22 +5562,22 @@
"Suriname",
"United Kingdom"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/inception-framework"
]
},
"uuid": "71ef51ca-a791-11e8-a026-07980ca910ca"
"uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
"value": "Inception Framework"
},
{
"value": "Winnti Umbrella",
"description": "This threat actor targets software companies and political organizations in the United States, China, Japan, and South Korea. It primarily acts to support cyber operations conducted by other threat actors affiliated with Chinese intelligence services.\nBelieved to be associated with the Axiom, APT 17, and Mirage threat actors. Believed to share the same tools and infrastructure as the threat actors that carried out Operation Aurora, the 2015 targeting of video game companies, the 2015 targeting of the Thai government, and the 2017 targeting of Chinese-language news websites",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/winnti-umbrella"
],
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States",
"South Korea",
@ -5588,14 +5585,15 @@
"China",
"Japan"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
],
"country": "CN"
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/winnti-umbrella"
]
},
"uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
"related": [
{
"dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
@ -5618,26 +5616,26 @@
],
"type": "similar"
}
]
],
"uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
"value": "Winnti Umbrella"
},
{
"value": "HenBox",
"description": "This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/henbox"
],
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"Uighurs"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Civil society"
],
"country": "CN"
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/henbox"
]
},
"uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896",
"related": [
{
"dest-uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§",
@ -5646,53 +5644,52 @@
],
"type": "similar"
}
]
],
"uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896",
"value": "HenBox"
},
{
"value": "Mustang Panda",
"description": "This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/mustang-panda"
],
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Civil society"
],
"country": "CN"
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/mustang-panda"
]
},
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339"
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
"value": "Mustang Panda"
},
{
"value": "Thrip",
"description": "This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/thrip",
"https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"United States"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/thrip",
"https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
]
},
"uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc"
"uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc",
"value": "Thrip"
},
{
"value": " Stealth Mango and Tangelo ",
"description": "This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/stealth-mango-and-tangelo"
],
"cfr-suspected-state-sponsor": "Pakistan",
"cfr-suspected-victims": [
"Pakistan",
"Iraq",
@ -5703,28 +5700,30 @@
"India",
"United States"
],
"cfr-suspected-state-sponsor": "Pakistan",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Civil society"
],
"country": "PK"
"cfr-type-of-incident": "Espionage",
"country": "PK",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/stealth-mango-and-tangelo"
]
},
"uuid": "f82b352e-a9f8-11e8-8be8-fbcf6eddd58c"
"uuid": "f82b352e-a9f8-11e8-8be8-fbcf6eddd58c",
"value": " Stealth Mango and Tangelo "
},
{
"value": "PowerPool",
"description": "Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.\n\nA security researcher who uses the online name SandboxEscaper on August 27 released the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler.\n\nMore specifically, the problem is with the SchRpcSetSecurity API function, which fails to properly check user's permissions, allowing write privileges on files in C:\\Windows\\Task.\n\nThe vulnerability affects Windows versions 7 through 10 and can be used by an attacker to escalate their privileges to all-access SYSTEM account level.\n\nA couple of days after the exploit code became available (source and binary), malware researchers at ESET noticed its use in active malicious campaigns from a threat actor they call PowerPool, because of their tendency to use tools mostly written in PowerShell for lateral movement.\n\nThe group appears to have a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.\n\nThe researchers say that PowerPool developers did not use the binary version of the exploit, deciding instead to make some subtle changes to the source code before recompiling it.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/"
]
},
"uuid": "abd89986-b1b0-11e8-b857-efe290264006"
"uuid": "abd89986-b1b0-11e8-b857-efe290264006",
"value": "PowerPool"
},
{
"value": "Bahamut",
"description": "Bahamut is a threat actor primarily operating in Middle East and Central Asia, suspected to be a private contractor to several state sponsored actors. They were observed conduct phishing as well as desktop and mobile malware campaigns.",
"meta": {
"refs": [
@ -5732,10 +5731,10 @@
"https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
]
},
"uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7"
"uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7",
"value": "Bahamut"
},
{
"value": "Iron Group",
"description": "Iron group has developed multiple types of malware (backdoors, crypto-miners, and ransomware) for Windows, Linux and Android platforms. They have used their malware to successfully infect, at least, a few thousand victims.",
"meta": {
"refs": [
@ -5745,40 +5744,35 @@
"Iron Cyber Group"
]
},
"uuid": "6a0ea861-229a-45a6-98f5-228f69b43905"
"uuid": "6a0ea861-229a-45a6-98f5-228f69b43905",
"value": "Iron Group"
},
{
"value": "Operation BugDrop",
"description": "This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine. The threat actors deploy the BugDrop malware to remotely access the microphones in their targets' computers to eavesdrop on conversations.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/operation-bugdrop"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"Ukraine",
"Austria",
"Russia",
"Saudi Arabia"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
],
"country": "RU"
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/operation-bugdrop"
]
},
"uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1"
"uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1",
"value": "Operation BugDrop"
},
{
"value": "Red October",
"description": "This threat actor targets governments, diplomatic missions, academics, and energy and aerospace organizations for the purpose of espionage. Also known as the Rocra and believed to be the same threat actor as Cloud Atlas",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/red-october"
],
"synonyms": [
"the Rocra"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"Russia",
"Belgium",
@ -5796,15 +5790,19 @@
"Vietnam",
"Italy"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
],
"country": "RU"
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/red-october"
],
"synonyms": [
"the Rocra"
]
},
"uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
"related": [
{
"dest-uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
@ -5813,15 +5811,14 @@
],
"type": "same-as"
}
]
],
"uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
"value": "Red October"
},
{
"value": "Cloud Atlas",
"description": "This threat actor targets governments and diplomatic organizations for espionage purposes.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/cloud-atlas"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"Russia",
"India",
@ -5829,14 +5826,15 @@
"Czech Republic",
"Belarus"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government"
],
"country": "RU"
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/cloud-atlas"
]
},
"uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
"related": [
{
"dest-uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
@ -5845,33 +5843,34 @@
],
"type": "same-as"
}
]
],
"uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
"value": "Cloud Atlas"
},
{
"value": "Unnamed Actor",
"description": "This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activist. The threat actor also targeted the Myanmar electoral commission. ",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/unnamed-actor"
],
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"China",
"Myanmar",
"Hong Kong",
"Taiwan"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Civil society",
"Government"
],
"country": "CN"
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/unnamed-actor"
]
},
"uuid": "bea5e256-bcc0-11e8-a478-bbf7e7585a1e"
"uuid": "bea5e256-bcc0-11e8-a478-bbf7e7585a1e",
"value": "Unnamed Actor"
},
{
"value": "COBALT DICKENS",
"description": "”A threat group associated with the Iranian government. The threat group created lookalike domains to phish targets and used credentials to steal intellectual property from specific resources, including library systems.”",
"meta": {
"refs": [
@ -5882,10 +5881,10 @@
"Cobalt Dickens"
]
},
"uuid": "6c79bd1a-bfde-11e8-8c33-db4d9968671a"
"uuid": "6c79bd1a-bfde-11e8-8c33-db4d9968671a",
"value": "COBALT DICKENS"
},
{
"value": "MageCart",
"description": "Digital threat management company RiskIQ tracks the activity of MageCart group and reported their use of web-based card skimmers since 2016.",
"meta": {
"refs": [
@ -5893,22 +5892,21 @@
"https://www.bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script/"
]
},
"uuid": "0768fd50-c547-11e8-9aa5-776183769eab"
"uuid": "0768fd50-c547-11e8-9aa5-776183769eab",
"value": "MageCart"
},
{
"value": "Domestic Kitten",
"description": "An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive information on the device along with surrounding voice recordings. Researchers with CheckPoint discovered the attack and named it Domestic Kitten. The targets are Kurdish and Turkish natives, and ISIS supporters, all Iranian citizens.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/"
]
},
"uuid": "dda1b28e-c558-11e8-8666-27cf61d1d7ee"
"uuid": "dda1b28e-c558-11e8-8666-27cf61d1d7ee",
"value": "Domestic Kitten"
},
{
"value": "FASTCash",
"description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.",
"uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85",
"related": [
{
"dest-uuid": "e306fe62-c708-11e8-89f2-073e396e5403",
@ -5917,7 +5915,9 @@
],
"type": "similar"
}
]
],
"uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85",
"value": "FASTCash"
}
],
"version": 69

68
clusters/tool.json
View File

@ -4210,14 +4210,14 @@
"value": "KONNI"
},
{
"value": "NOKKI",
"uuid": "9e4fd0d3-9736-421c-b1e1-96c1d3665c80",
"description": "Beginning in early 2018, Unit 42 observed a series of attacks using a previously unreported malware family, which we have named NOKKI. The malware in question has ties to a previously reported malware family named KONNI, however, after careful consideration, we believe enough differences are present to introduce a different malware family name. To reflect the close relationship with KONNI, we chose NOKKI, swapping KONNIs Ns and Ks. Because of code overlap found within both malware families, as well as infrastructure overlap, we believe the threat actors responsible for KONNI are very likely also responsible for NOKKI. Previous reports stated it was likely KONNI had been in use for over three years in multiple campaigns with a heavy interest in the Korean peninsula and surrounding areas. As of this writing, it is not certain if the KONNI or NOKKI operators are related to known adversary groups operating in the regions of interest, although there is evidence of a tenuous relationship with a group known as Reaper.",
"meta": {
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/"
]
}
},
"uuid": "9e4fd0d3-9736-421c-b1e1-96c1d3665c80",
"value": "NOKKI"
},
{
"description": "Recently, Palo Alto Networks researchers discovered an advanced Android malware weve named “SpyDealer” which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature. SpyDealer uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.",
@ -5748,17 +5748,16 @@
"value": "KEYMARBLE"
},
{
"value": "BISKVIT",
"description": "The BISKVIT Trojan is a multi-component malware written in C#. We dubbed this malware BISKVIT based on the namespaces used in the code, which contain the word “biscuit”. Unfortunately, there is already an existing unrelated malware called BISCUIT, so BISKVIT is used instead, which is the Russian translation of biscuit.",
"meta": {
"refs": [
"https://www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html"
]
},
"uuid": "69ed8a69-8b33-4195-9b21-a1f4cd76acde"
"uuid": "69ed8a69-8b33-4195-9b21-a1f4cd76acde",
"value": "BISKVIT"
},
{
"value": "Sirefef",
"description": "This family of malware uses stealth to hide its presence on your PC. Trojans in this family can do different things, including: -Downloading and running other files -Contacting remote hosts -Disabling security features\nMembers of the family can also change search results, which can generate money for the hackers who use Sirefef.",
"meta": {
"refs": [
@ -5768,28 +5767,23 @@
"Win32/Sirefef"
]
},
"uuid": "641464a6-b690-11e8-976e-bffc9a17c6a4"
"uuid": "641464a6-b690-11e8-976e-bffc9a17c6a4",
"value": "Sirefef"
},
{
"value": "MagentoCore Malware",
"description": "A Dutch security researcher has lifted the veil on a massive website hacking campaign that has infected 7,339 Magento stores with a script that collects payment card data from people shopping on the sites.\nThe script is what industry experts call a \"payment card scraper\" or \"skimmer.\" Hackers breach sites and modify their source code to load the script along with its legitimate files.\nThe script usually loads on store checkout pages and secretly records payment card details entered in payment forms, data that it later sends to a server under the hacker's control.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/magentocore-malware-found-on-7-339-magento-stores/"
]
},
"uuid": "df05f528-bb57-11e8-9fd4-8320e14151f2"
"uuid": "df05f528-bb57-11e8-9fd4-8320e14151f2",
"value": "MagentoCore Malware"
},
{
"value": "NotPetya",
"description": "Threat actors deploy a tool, called NotPetya, with the purpose of encrypting data on victims' machines and rendering it unusable. The malware was spread through tax software that companies and individuals require for filing taxes in Ukraine. Australia, Estonia, Denmark, Lithuania, Ukraine, the United Kingdom, and the United States issued statements attributing NotPetya to Russian state-sponsored actors. In June 2018, the United States sanctioned Russian organizations believed to have assisted the Russian state-sponsored actors with the operation.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/notpetya"
],
"synonyms": [
"Not Petya"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"Rosneft",
"Cie de Saint-Gobain",
@ -5802,59 +5796,63 @@
"Merck",
"Kyivenergo"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-type-of-incident": "Data destruction",
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Data destruction",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/notpetya"
],
"synonyms": [
"Not Petya"
]
},
"uuid": "00c31914-bc0e-11e8-8241-3ff3b5e4671d"
"uuid": "00c31914-bc0e-11e8-8241-3ff3b5e4671d",
"value": "NotPetya"
},
{
"value": "Xbash",
"description": "Xbash is a malware family that is targeting Linux and Microsoft Windows servers. We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks.",
"meta": {
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
]
},
"uuid": "10c981cc-4ef1-4719-8ed7-c5e4c2f6c7a3"
"uuid": "10c981cc-4ef1-4719-8ed7-c5e4c2f6c7a3",
"value": "Xbash"
},
{
"value": "LoJax",
"description": "rootkit for the Unified Extensible Firmware Interface (UEFI). Used by APT28. The researchers named the rootkit LoJax, after the malicious samples of the LoJack anti-theft software that were discovered earlier this year.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/"
]
},
"uuid": "6d53a74e-c8a5-11e8-a123-332e4eaac9bb"
"uuid": "6d53a74e-c8a5-11e8-a123-332e4eaac9bb",
"value": "LoJax"
},
{
"value": "Chainshot",
"description": "The new piece of malware, which received the name Chainshot, is used in the early stages of an attack to activate a downloader for the final payload in a malicious chain reaction.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/new-chainshot-malware-found-by-cracking-512-bit-rsa-key/"
]
},
"uuid": "a032460e-c54c-11e8-9965-43b7b6469a65"
"uuid": "a032460e-c54c-11e8-9965-43b7b6469a65",
"value": "Chainshot"
},
{
"value": "CroniX",
"description": "The researchers named this campaign CroniX, a moniker that derives from the malware's use of Cron to achieve persistence and Xhide to launch executables with fake process names. The cryptocurrency minted on victim's computers is Monero (XMR), the coin of choice in cryptojacking activities. To make sure that rival activity does not revive, CroniX deletes the binaries of other cryptominers present on the system. Another action CroniX takes to establish supremacy on the machine is to check the names of the processes and kill those that swallow 60% of the CPU or more.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/cronix-cryptominer-kills-rivals-to-reign-supreme/"
]
},
"uuid": "55d29d1c-c550-11e8-9904-47c1d86af7c5"
"uuid": "55d29d1c-c550-11e8-9904-47c1d86af7c5",
"value": "CroniX"
},
{
"value": "FASTCash",
"description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.",
"uuid": "e306fe62-c708-11e8-89f2-073e396e5403",
"related": [
{
"dest-uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85",
@ -5863,26 +5861,28 @@
],
"type": "similar"
}
]
],
"uuid": "e306fe62-c708-11e8-89f2-073e396e5403",
"value": "FASTCash"
},
{
"value": "ZEBROCY",
"description": "ZEBROCY is a tool used by APT28, which has been observed since late 2015. The communications module used by ZEBROCY transmits using HTTP. The implant has key logging and file exfiltration functionality and utilises a file collection capability that identifies files with particular extensions.",
"meta": {
"refs": [
"https://www.ncsc.gov.uk/alerts/indicators-compromise-malware-used-apt28"
]
},
"uuid": "8a2ae47a-c7b2-11e8-b223-ab4d8f78f3ef"
"uuid": "8a2ae47a-c7b2-11e8-b223-ab4d8f78f3ef",
"value": "ZEBROCY"
},
{
"value": "CoalaBot",
"meta": {
"refs:": [
"https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html"
]
},
"uuid": "92628a72-c874-11e8-a094-ebbb3bd1f412"
"uuid": "92628a72-c874-11e8-a094-ebbb3bd1f412",
"value": "CoalaBot"
}
],
"version": 93

8
galaxies/android.json
View File

@ -1,9 +1,9 @@
{
"description": "Android malware galaxy based on multiple open sources.",
"type": "android",
"version": 3,
"name": "Android",
"icon": "android",
"name": "Android",
"namespace": "misp",
"type": "android",
"uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa",
"namespace": "misp"
"version": 3
}

8
galaxies/backdoor.json
View File

@ -1,9 +1,9 @@
{
"description": "Malware Backdoor galaxy.",
"type": "backdoor",
"version": 1,
"name": "Backdoor",
"icon": "door-open",
"name": "Backdoor",
"namespace": "misp",
"type": "backdoor",
"uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
"namespace": "misp"
"version": 1
}

8
galaxies/banker.json
View File

@ -1,9 +1,9 @@
{
"description": "Banking malware galaxy.",
"type": "banker",
"version": 3,
"name": "Banker",
"icon": "usd",
"name": "Banker",
"namespace": "misp",
"type": "banker",
"uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
"namespace": "misp"
"version": 3
}

8
galaxies/botnet.json
View File

@ -1,9 +1,9 @@
{
"description": "Botnet galaxy.",
"type": "botnet",
"version": 2,
"name": "Botnet",
"icon": "sitemap",
"name": "Botnet",
"namespace": "misp",
"type": "botnet",
"uuid": "90ccdf38-1649-11e8-b8bf-e7326d553087",
"namespace": "misp"
"version": 2
}

8
galaxies/branded_vulnerability.json
View File

@ -1,9 +1,9 @@
{
"description": "List of known vulnerabilities and exploits",
"type": "branded-vulnerability",
"version": 2,
"name": "Branded Vulnerability",
"icon": "bug",
"name": "Branded Vulnerability",
"namespace": "misp",
"type": "branded-vulnerability",
"uuid": "fda8c7c2-f45a-11e7-9713-e75dac0492df",
"namespace": "misp"
"version": 2
}

8
galaxies/cert-eu-govsector.json
View File

@ -1,9 +1,9 @@
{
"type": "cert-eu-govsector",
"name": "Cert EU GovSector",
"description": "Cert EU GovSector",
"version": 2,
"icon": "globe",
"name": "Cert EU GovSector",
"namespace": "misp",
"type": "cert-eu-govsector",
"uuid": "68858a48-b898-11e7-91ce-bf424ef9b662",
"namespace": "misp"
"version": 2
}

8
galaxies/exploit-kit.json
View File

@ -1,9 +1,9 @@
{
"type": "exploit-kit",
"name": "Exploit-Kit",
"description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
"version": 4,
"icon": "internet-explorer",
"name": "Exploit-Kit",
"namespace": "misp",
"type": "exploit-kit",
"uuid": "6ab240ec-bd79-11e6-a4a6-cec0c932ce01",
"namespace": "misp"
"version": 4
}

8
galaxies/malpedia.json
View File

@ -1,9 +1,9 @@
{
"description": "Malware galaxy based on Malpedia archive.",
"type": "malpedia",
"version": 1,
"name": "Malpedia",
"icon": "shield",
"name": "Malpedia",
"namespace": "misp",
"type": "malpedia",
"uuid": "1d1c9af9-37fa-4deb-a928-f9b0abc7354a",
"namespace": "misp"
"version": 1
}

8
galaxies/microsoft-activity-group.json
View File

@ -1,9 +1,9 @@
{
"name": "Microsoft Activity Group actor",
"type": "microsoft-activity-group",
"description": "Activity groups as described by Microsoft",
"version": 3,
"icon": "user-secret",
"name": "Microsoft Activity Group actor",
"namespace": "misp",
"type": "microsoft-activity-group",
"uuid": "74c869e8-0b8e-4e5f-96e6-cd992e07a505",
"namespace": "misp"
"version": 3
}

10
galaxies/mitre-attack-pattern.json
View File

@ -1,9 +1,9 @@
{
"description": "ATT&CK Tactic",
"uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
"version": 5,
"type": "mitre-attack-pattern",
"name": "Attack Pattern",
"icon": "map",
"namespace": "deprecated"
"name": "Attack Pattern",
"namespace": "deprecated",
"type": "mitre-attack-pattern",
"uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
"version": 5
}

6
galaxies/mitre-course-of-action.json
View File

@ -1,9 +1,9 @@
{
"version": 6,
"description": "ATT&CK Mitigation",
"icon": "chain",
"name": "Course of Action",
"description": "ATT&CK Mitigation",
"namespace": "deprecated",
"type": "mitre-course-of-action",
"uuid": "6fcb4472-6de4-11e7-b5f7-37771619e14e",
"namespace": "deprecated"
"version": 6
}

10
galaxies/mitre-enterprise-attack-attack-pattern.json
View File

@ -1,9 +1,9 @@
{
"name": "Enterprise Attack - Attack Pattern",
"type": "mitre-enterprise-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "fa7016a8-1707-11e8-82d0-1b73d76eb204",
"version": 4,
"icon": "map",
"namespace": "mitre-attack"
"name": "Enterprise Attack - Attack Pattern",
"namespace": "mitre-attack",
"type": "mitre-enterprise-attack-attack-pattern",
"uuid": "fa7016a8-1707-11e8-82d0-1b73d76eb204",
"version": 4
}

10
galaxies/mitre-enterprise-attack-course-of-action.json
View File

@ -1,9 +1,9 @@
{
"name": "Enterprise Attack - Course of Action",
"type": "mitre-enterprise-attack-course-of-action",
"description": "ATT&CK Mitigation",
"uuid": "fb5a36c0-1707-11e8-81f5-d732b22a4982",
"version": 4,
"icon": "chain",
"namespace": "mitre-attack"
"name": "Enterprise Attack - Course of Action",
"namespace": "mitre-attack",
"type": "mitre-enterprise-attack-course-of-action",
"uuid": "fb5a36c0-1707-11e8-81f5-d732b22a4982",
"version": 4
}

10
galaxies/mitre-enterprise-attack-intrusion-set.json
View File

@ -1,9 +1,9 @@
{
"name": "Enterprise Attack -Intrusion Set",
"type": "mitre-enterprise-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"uuid": "1f3b8c56-1708-11e8-b211-17a60c0f73ee",
"version": 4,
"icon": "user-secret",
"namespace": "mitre-attack"
"name": "Enterprise Attack -Intrusion Set",
"namespace": "mitre-attack",
"type": "mitre-enterprise-attack-intrusion-set",
"uuid": "1f3b8c56-1708-11e8-b211-17a60c0f73ee",
"version": 4
}

10
galaxies/mitre-enterprise-attack-malware.json
View File

@ -1,9 +1,9 @@
{
"name": "Enterprise Attack - Malware",
"type": "mitre-enterprise-attack-malware",
"description": "Name of ATT&CK software",
"uuid": "fbb19af0-1707-11e8-9fd6-dbd88a04d33a",
"version": 4,
"icon": "optin-monster",
"namespace": "mitre-attack"
"name": "Enterprise Attack - Malware",
"namespace": "mitre-attack",
"type": "mitre-enterprise-attack-malware",
"uuid": "fbb19af0-1707-11e8-9fd6-dbd88a04d33a",
"version": 4
}

10
galaxies/mitre-enterprise-attack-relationship.json
View File

@ -1,9 +1,9 @@
{
"name": "Enterprise Attack - Relationship",
"type": "mitre-enterprise-attack-relationship",
"description": "Mitre Relationship",
"uuid": "fc404638-1707-11e8-a5cf-b78b9b562766",
"version": 4,
"icon": "link",
"namespace": "mitre-attack"
"name": "Enterprise Attack - Relationship",
"namespace": "mitre-attack",
"type": "mitre-enterprise-attack-relationship",
"uuid": "fc404638-1707-11e8-a5cf-b78b9b562766",
"version": 4
}

10
galaxies/mitre-enterprise-attack-tool.json
View File

@ -1,9 +1,9 @@
{
"name": "Enterprise Attack - Tool",
"type": "mitre-enterprise-attack-tool",
"description": "Name of ATT&CK software",
"uuid": "fbfa0470-1707-11e8-be22-eb46b373fdd3",
"version": 4,
"icon": "gavel",
"namespace": "mitre-attack"
"name": "Enterprise Attack - Tool",
"namespace": "mitre-attack",
"type": "mitre-enterprise-attack-tool",
"uuid": "fbfa0470-1707-11e8-be22-eb46b373fdd3",
"version": 4
}

8
galaxies/mitre-intrusion-set.json
View File

@ -1,9 +1,9 @@
{
"uuid": "1023f364-7831-11e7-8318-43b5531983ab",
"description": "Name of ATT&CK Group",
"version": 7,
"icon": "user-secret",
"type": "mitre-intrusion-set",
"name": "Intrusion Set",
"namespace": "deprecated"
"namespace": "deprecated",
"type": "mitre-intrusion-set",
"uuid": "1023f364-7831-11e7-8318-43b5531983ab",
"version": 7
}

12
galaxies/mitre-malware.json
View File

@ -1,9 +1,9 @@
{
"type": "mitre-malware",
"version": 5,
"name": "Malware",
"uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4",
"icon": "optin-monster",
"description": "Name of ATT&CK software",
"namespace": "deprecated"
"icon": "optin-monster",
"name": "Malware",
"namespace": "deprecated",
"type": "mitre-malware",
"uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4",
"version": 5
}

10
galaxies/mitre-mobile-attack-attack-pattern.json
View File

@ -1,9 +1,9 @@
{
"name": "Mobile Attack - Attack Pattern",
"type": "mitre-mobile-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "1c6d1332-1708-11e8-847c-e3c5643c41a5",
"version": 4,
"icon": "map",
"namespace": "mitre-attack"
"name": "Mobile Attack - Attack Pattern",
"namespace": "mitre-attack",
"type": "mitre-mobile-attack-attack-pattern",
"uuid": "1c6d1332-1708-11e8-847c-e3c5643c41a5",
"version": 4
}

10
galaxies/mitre-mobile-attack-course-of-action.json
View File

@ -1,9 +1,9 @@
{
"name": "Mobile Attack - Course of Action",
"type": "mitre-mobile-attack-course-of-action",
"description": "ATT&CK Mitigation",
"uuid": "0282356a-1708-11e8-8f53-975633d5c03c",
"version": 4,
"icon": "chain",
"namespace": "mitre-attack"
"name": "Mobile Attack - Course of Action",
"namespace": "mitre-attack",
"type": "mitre-mobile-attack-course-of-action",
"uuid": "0282356a-1708-11e8-8f53-975633d5c03c",
"version": 4
}

10
galaxies/mitre-mobile-attack-intrusion-set.json
View File

@ -1,9 +1,9 @@
{
"name": "Mobile Attack - Intrusion Set",
"type": "mitre-mobile-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"uuid": "0314e554-1708-11e8-b049-8f8a42b5bb62",
"version": 4,
"icon": "user-secret",
"namespace": "mitre-attack"
"name": "Mobile Attack - Intrusion Set",
"namespace": "mitre-attack",
"type": "mitre-mobile-attack-intrusion-set",
"uuid": "0314e554-1708-11e8-b049-8f8a42b5bb62",
"version": 4
}

10
galaxies/mitre-mobile-attack-malware.json
View File

@ -1,9 +1,9 @@
{
"name": "Mobile Attack - Malware",
"type": "mitre-mobile-attack-malware",
"description": "Name of ATT&CK software",
"uuid": "03e3853a-1708-11e8-95c1-67cf3f801a18",
"version": 4,
"icon": "optin-monster",
"namespace": "mitre-attack"
"name": "Mobile Attack - Malware",
"namespace": "mitre-attack",
"type": "mitre-mobile-attack-malware",
"uuid": "03e3853a-1708-11e8-95c1-67cf3f801a18",
"version": 4
}

10
galaxies/mitre-mobile-attack-relationship.json
View File

@ -1,9 +1,9 @@
{
"name": "Mobile Attack - Relationship",
"type": "mitre-mobile-attack-relationship",
"description": "Mitre Relationship",
"uuid": "fc8471aa-1707-11e8-b306-33cbe96a1ede",
"version": 4,
"icon": "link",
"namespace": "mitre-attack"
"name": "Mobile Attack - Relationship",
"namespace": "mitre-attack",
"type": "mitre-mobile-attack-relationship",
"uuid": "fc8471aa-1707-11e8-b306-33cbe96a1ede",
"version": 4
}

10
galaxies/mitre-mobile-attack-tool.json
View File

@ -1,9 +1,9 @@
{
"name": "Mobile Attack - Tool",
"type": "mitre-mobile-attack-tool",
"description": "Name of ATT&CK software",
"uuid": "1d0b4bce-1708-11e8-9e6e-1b130c9b0a91",
"version": 4,
"icon": "gavel",
"namespace": "mitre-attack"
"name": "Mobile Attack - Tool",
"namespace": "mitre-attack",
"type": "mitre-mobile-attack-tool",
"uuid": "1d0b4bce-1708-11e8-9e6e-1b130c9b0a91",
"version": 4
}

10
galaxies/mitre-pre-attack-attack-pattern.json
View File

@ -1,9 +1,9 @@
{
"name": "Pre Attack - Attack Pattern",
"type": "mitre-pre-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "1f665850-1708-11e8-9cfe-4792b2a91402",
"version": 4,
"icon": "map",
"namespace": "mitre-attack"
"name": "Pre Attack - Attack Pattern",
"namespace": "mitre-attack",
"type": "mitre-pre-attack-attack-pattern",
"uuid": "1f665850-1708-11e8-9cfe-4792b2a91402",
"version": 4
}

10
galaxies/mitre-pre-attack-intrusion-set.json
View File

@ -1,9 +1,9 @@
{
"name": "Pre Attack - Intrusion Set",
"type": "mitre-pre-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"uuid": "1fb6d5b4-1708-11e8-9836-8bbc8ce6866e",
"version": 4,
"icon": "user-secret",
"namespace": "mitre-attack"
"name": "Pre Attack - Intrusion Set",
"namespace": "mitre-attack",
"type": "mitre-pre-attack-intrusion-set",
"uuid": "1fb6d5b4-1708-11e8-9836-8bbc8ce6866e",
"version": 4
}

8
galaxies/mitre-pre-attack-relationship.json
View File

@ -1,9 +1,9 @@
{
"uuid": "1f8e3bae-1708-11e8-8e97-4bd2150e5aae",
"description": "Mitre Relationship",
"version": 5,
"icon": "link",
"type": "mitre-pre-attack-relationship",
"name": "Pre Attack - Relationship",
"namespace": "mitre-attack"
"namespace": "mitre-attack",
"type": "mitre-pre-attack-relationship",
"uuid": "1f8e3bae-1708-11e8-8e97-4bd2150e5aae",
"version": 5
}

8
galaxies/mitre-tool.json
View File

@ -1,9 +1,9 @@
{
"name": "Tool",
"type": "mitre-tool",
"description": "Name of ATT&CK software",
"icon": "gavel",
"version": 5,
"name": "Tool",
"namespace": "deprecated",
"type": "mitre-tool",
"uuid": "d5cbd1a2-78f6-11e7-a833-7b9bccca9649",
"namespace": "deprecated"
"version": 5
}

8
galaxies/preventive-measure.json
View File

@ -1,9 +1,9 @@
{
"name": "Preventive Measure",
"type": "preventive-measure",
"description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
"version": 3,
"icon": "shield",
"name": "Preventive Measure",
"namespace": "misp",
"type": "preventive-measure",
"uuid": "8168995b-adcd-4684-9e37-206c5771505a",
"namespace": "misp"
"version": 3
}

8
galaxies/ransomware.json
View File

@ -1,9 +1,9 @@
{
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
"type": "ransomware",
"version": 4,
"name": "Ransomware",
"icon": "btc",
"name": "Ransomware",
"namespace": "misp",
"type": "ransomware",
"uuid": "3f44af2e-1480-4b6b-9aa8-f9bb21341078",
"namespace": "misp"
"version": 4
}

8
galaxies/rat.json
View File

@ -1,9 +1,9 @@
{
"type": "rat",
"name": "RAT",
"description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
"version": 3,
"icon": "eye",
"name": "RAT",
"namespace": "misp",
"type": "rat",
"uuid": "06825db6-4797-11e7-ac4d-af25fdcdd299",
"namespace": "misp"
"version": 3
}

8
galaxies/sector.json
View File

@ -1,9 +1,9 @@
{
"type": "sector",
"name": "Sector",
"description": "Activity sectors",
"version": 2,
"icon": "industry",
"name": "Sector",
"namespace": "misp",
"type": "sector",
"uuid": "e1bb134c-ae4d-11e7-8aa9-f78a37325439",
"namespace": "misp"
"version": 2
}

8
galaxies/stealer.json
View File

@ -1,9 +1,9 @@
{
"description": "Malware stealer galaxy.",
"type": "stealer",
"version": 1,
"name": "Stealer",
"icon": "key",
"name": "Stealer",
"namespace": "misp",
"type": "stealer",
"uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
"namespace": "misp"
"version": 1
}

8
galaxies/tds.json
View File

@ -1,9 +1,9 @@
{
"type": "tds",
"name": "TDS",
"description": "TDS is a list of Traffic Direction System used by adversaries",
"version": 4,
"icon": "cart-arrow-down",
"name": "TDS",
"namespace": "misp",
"type": "tds",
"uuid": "1b9a7d8e-bd7a-11e6-a4a6-cec0c932ce01",
"namespace": "misp"
"version": 4
}

8
galaxies/threat-actor.json
View File

@ -1,9 +1,9 @@
{
"name": "Threat Actor",
"type": "threat-actor",
"description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour.",
"version": 3,
"icon": "user-secret",
"name": "Threat Actor",
"namespace": "misp",
"type": "threat-actor",
"uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3",
"namespace": "misp"
"version": 3
}

8
galaxies/tool.json
View File

@ -1,9 +1,9 @@
{
"type": "tool",
"name": "Tool",
"description": "Threat actors tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"version": 3,
"icon": "optin-monster",
"name": "Tool",
"namespace": "misp",
"type": "tool",
"uuid": "9b8037f7-bc8f-4de1-a797-37266619bc0b",
"namespace": "misp"
"version": 3
}

5
jq_all_the_things.sh
View File

@ -6,6 +6,7 @@
for dir in `find . -name "*.json"`
do
echo validating ${dir}
# python3 -c "import json; f_in = open('${dir}'); data = json.load(f_in); f_in.close(); f_out = open('${dir}', 'w'); json.dump(data, f_out, indent=2, sort_keys=True, ensure_ascii=False); f_out.close();"
cat ${dir} | jq . >/dev/null
rc=$?
if [[ $rc != 0 ]]; then exit $rc; fi
@ -17,13 +18,13 @@ set -x
for dir in clusters/*.json
do
# Beautify it
cat ${dir} | jq . | sponge ${dir}
cat ${dir} | jq --sort-keys . | sponge ${dir}
done
for dir in galaxies/*.json
do
# Beautify it
cat ${dir} | jq . | sponge ${dir}
cat ${dir} | jq --sort-keys . | sponge ${dir}
done
cat schema_clusters.json | jq . | sponge schema_clusters.json